Introduction 


1. The Information Commissioner has responsibility in the UK for promoting and 
enforcing the Data Protection Act 1998 (DPA 98), the Freedom of Information 
Act 2000 (FOIA), the Environmental Information Regulations 2004 (EIR) and 
the Privacy and Electronic Communications Regulations 2003, as amended 
(PECR). The Commissioner also provides a complaint handling function for the 
Re-use of Public Sector Information Regulations and the INSPIRE Regulations; 
and is the UK supervisory body for the Electronic Identification and Trust 
Services for Electronic Transactions (eIDAS) Regulations. She is independent 
of government and upholds information rights in the public interest, 
promoting openness by public bodies and data privacy for individuals. The 
Commissioner does this by providing guidance to individuals and 
organisations, solving problems where she can, and taking appropriate action 
where the law is broken. 


Overview 


2. The Commissioner welcomes the Data Protection Bill because it puts in place 
one of the final pieces of much needed data protection reform. It is vital that 
this Bill reaches the statute book because it introduces strong safeguards for 
protecting individuals’ personal data. Effective, modern data protection laws 
with robust safeguards are central to securing the public's trust and 
confidence in the use of personal information within the digital economy, the 
delivery of public services and the fight against crime. 


3. The Bill provides an essential legislative framework to deliver greater 
protections for the public and enhanced obligations for organisations. The 
Commissioner believes strong privacy legislation and an effective regulator 
can make a difference to the level of trust people have in what happens to 
their personal data and this is fundamental to them engaging in the digital 
economy. 


4. It is important that the Bill is also seen in the context of European Union data 
protection reform. The General Data Protection Regulation (GDPR)[1] has direct 
effect and will be relevant to most processing of personal data. This means 
that for most organisations the Bill has to be read alongside the GDPR in 
order to understand the full legislative framework that applies to them. 


5. The Bill also transposes into UK law another key element of the EU reform 
package - Directive 2016/680, known as the Law Enforcement Directive 
(LED).[2] It does not have direct effect and designated competent authorities 
involved in processing personal data for law enforcement purposes need to 
comply with those provisions in Part 3 of the Bill. Part 4 of the Bill also 
ensures that a data protection regime applies to the Intelligence Services. 
Including these provisions in a single piece of primary data protection 
legislation is welcome. 


[1] The GDPR replaces at EU level the 1995 directive on data protection [Directive 95/46/EC]. Its provisions 
will apply from 25 May 2018. 


6. The Commissioner welcomes the Government’s commitment in the 
Explanatory Notes that the Bill and the GDPR will substantively apply the 
same high standards to the majority of data processing in the UK, in order to 
create a clear and coherent data protection regime. She also supports the 
Government’s aim to replicate provisions of the DPA where there is discretion 
to introduce derogations and national implementing measures. Many of these 
provisions and exemptions have stood the test of time and are well 
understood by data controllers but she also welcomes the refinements and 
improvements that have been made to modernise the legislation. 


7. The Commissioner is engaged to ensure the UK data protection regulatory 
landscape is clear and will support all organisations committed to good 
practice. The GDPR regime represents a step change in data protection but 
the Bill provides a significant amount of continuity with DPA 98 and is an 
important evolution building on foundations already in place for the last 20 
years. 


8. With regard to the data protection reform package she will work to prepare 
stakeholders in all sectors for the transition to the new regulatory regime. 
This includes guidance for small businesses that process very little personal 
data. She will also work to ensure the public understand their rights and how 
to exercise them. The ICO has a dedicated section on its website which 
includes guidance on the GDPR and steps organisations can take to prepare 
for data protection reform.[3] 


9. The Bill provides important powers for the Commissioner. Her approach will 
be to encourage and inspire good practice and compliance but will make 
proportionate and effective use of the regulatory sanctions provided in the Bill 
where unlawful practices need to be halted, rectified or exposed. 


10. Whilst the Bill is not designed to address the UK’s data protection regime post 
Brexit the Commissioner notes that passing the Bill will send an important 
signal about the UK’s commitment to a high standard of data protection post 
Brexit. This in turn will play a role in ensuring uninterrupted data flows 
between the UK and the EU. The Commissioner also recognises the 
importance of the UK having a strong relationship with other EU data 
protection regulators post Brexit, including the European Data Protection 
Board, to enable cross border enforcement. 


[2] http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1506692783409&uri=CELEX:32016L0680 


[3] ICO website section on data protection reform https://ico.org.uk/for-organisations/data-protection-reform/ 


Derogations 


11. Numerous articles of the GDPR give Member States the discretion to vary the 
law in a number of areas including Article 23 which allows Member States to 
restrict rights and obligations for processing related to national security, 
defence, public security and others. Some of these derogations relate to 
detailed, technical matters but others are central to the functioning of an 
effective data protection regime - for example those dealing with balancing 
fundamental rights like freedom of expression and privacy, or the 
modification of subject access rights in differing contexts. 


12. The introduction of national derogations is a matter of key significance for the 
Commissioner and in her response to the Government’s call for views[4] on the 
GDPR derogations, she advised that the national discretions available should 
be considered as part of a proportionate and risk based approach to 
individuals’ information rights. The Commissioner welcomes the engagement 
she and her staff have had with Government on matters relating to 
implementation of the GDPR and the transposition of the LED and is satisfied 
that the provisions in the Bill should ensure that an effective framework for 
the protection of individuals remains in place. 


13. The Commissioner’s general approach to the derogations is to favour 
replicating existing exemptions and measures under the DPA 98 where 
experience shows that they work satisfactorily. This will minimise disruption 
and bring certainty and coherence to the data protection regulatory regime. 
She supports the introduction of new derogations only where she believes this 
to be necessary for the effective functioning of the GDPR or where there is a 
clear need. 


[4] https://ico.org.uk/media/about-the-ico/consultation-responses/2017/2014036/ico-response-dcms-derogarations-consultation-20170510.pdf 


Commissioner’s part-by-part commentary on the Bill 


Part one: Preliminary 


14. The Commissioner recognises the complexity of the domestic legislation, 
which has resulted in the need to read across various provisions including 
between those within the Bill as well as between those in the GDPR. The 
Commissioner has made a number of recommendations to improve the Bill 
and is pleased that Government has responded positively towards many of 
these points. There may perhaps be further opportunities to make additional 
technical improvements in some areas by amendment. 


Part two: General processing 


Chapter two: The GDPR - Clause 8: Child’s consent in relation to 
information society services 


15. The Bill provides that the age of consent of children using information society 
services should be 13 years. Under the GDPR a child under the age of 16 
cannot give valid consent to the processing of their personal data for the 
provision of the service, unless the law of their Member State provides a 
lower age (to be no lower than 13). The use of this discretion should be 
consistent with wider public policy in all parts of the UK on the autonomy of 
the child and the age when they can acquire and exercise rights for 
themselves. 


16. The Commissioner’s submission to the House of Lords Select Committee on 
Communications’ Inquiry into Children and the Internet[5] makes clear that, on 
balance, the Commissioner favours an approach where even quite young 
children can access appropriate online services without the consent of a 
parent or guardian, provided organisations have other safeguards. 


Chapter three: Other general processing - Clause 24: National security 
and defence exemption 


17. The existing similar exemption at section 28 of the DPA is confined to just 
national security. Clause 24 extends this parallel provision to defence. The 
Commissioner understands that “the purposes of defence” would not be a 
catch-all term covering everything the Ministry of Defence does, but is more 
narrowly focussed in its application. The Commissioner shall follow the debate 
on this clause with interest so that she can continue to be reassured that the 
intent is clear and apparent. 


[5] https://ico.org.uk/media/about-the-ico/consultation-responses/2016/1625002/house-of-lords-children-and-the-internet-ico-response-20160901.pdf 


Part three: Law enforcement processing 


18. As mentioned in the Overview, the Commissioner supports the government’s 
approach to transposing the LED into UK law through the Data Protection Bill 
as a single piece of primary legislation. This makes it more straightforward for 
those who may process personal data falling within the different parts of the 
Bill rather than having to consult multiple pieces of legislation. 


19. The application of the Law Enforcement Directive to all law enforcement 
processing by competent authorities (or others who have statutory functions 
for any of the law enforcement purposes) also ensures consistent standards 
without making artificial technical distinctions between specific law 
enforcement activities. 


20. A number of competent authorities will process personal data covered by the 
different parts of the Bill. The measures to ensure consistency with GDPR, for 
example on timeliness of responding to subject access requests, are 
welcome. 


Clause 41: Overview and scope (of data subject rights) 


21. The Bill provides for restrictions to data subject rights in relation to the 
processing of ‘relevant personal data’ contained in documents relating to 
criminal investigations or prosecution proceedings that are created by or on 
behalf of a court or other judicial authority. The Commissioner recognises 
there are other alternative routes to obtain information such as through the 
disclosure provisions in the Criminal Procedure and Investigations Act 1996. 
However the provision, as drafted, restricts not just access rights but the 
right to rectification, right to erasure and restriction of processing. The 
Commissioner would welcome greater clarification on the policy intent behind 
this restriction on individuals being able to approach the Information 
Commissioner to exercise their rights. 


Part four: Intelligence services processing 


22. The Commissioner welcomes the inclusion of the processing of personal data 
by the intelligence services and recognises that it was not strictly necessary 
to include provisions in the Bill because national security matters are outside 
the scope of EU law. Ensuring an effective data protection regime for such 
activities is important. 


23. The provisions are based on internationally recognised data protection 
standards in the Council of Europe’s Convention for the Protection of 
Individuals with regard to Automatic Processing of Personal Data[6] 
(Convention 108) that covers such intelligence processing activities. This 
convention dates back to 1981 and is currently being modernised. This 
revised version has yet to be agreed and it is important that all the 
modernisation elements are properly reflected to ensure that safeguards are 
commensurate with the risks. 


24. There is the opportunity for the additional safeguards to be incorporated 
beyond those enshrined in a modernised Convention 108. Ensuring 
appropriate transparency, to the extent that this is possible, is important. The 
provisions at Part 4 include an exemption where required for safeguarding 
national security. There may be concerns that this provision will be widely 
used and much of the work of the intelligence services will be taken outside of 
these safeguards. Consideration could be given to requiring any minister 
issuing certificates under clause 109 to publish information about the issuing 
of such certificates, if only the numbers issued. Such an approach could be 
applied to the parallel provisions at clauses 25 and 77. 


Part five: The Information Commissioner 


25. The Bill provides welcome confirmation that there will continue to be an 
independent Information Commissioner responsible for regulating the GDPR 
and its domestic variant, and who will also be the supervisory authority in the 
UK for the law enforcement provisions set out in Part 3, and the designated 
authority for the UK under Convention 108. Part 5 of the Bill, along with 
Schedule 12, sets out important provisions for the Commissioner, including 
that she must be consulted on legislative and other measures that relate to 
personal data processing. 


26. The provisions also include general functions under GDPR such as safeguards 
and powers in connection with the Commissioner's international role including 
co-operation and mutual assistance between supervisory authorities under 
the GDPR. It is important that the Commissioner continues to play a full part 
in EU data protection working groups and boards until the UK leaves the EU, 
and works closely with EU partners and institutions once the UK has left. 


[6] Council of Europe’s Convention for the Protection of Individuals with regard to Automatic 
Processing of Personal Data https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680078b37 


27. In response to the DCMS call for views the Commissioner advised she should 
retain the investigatory, corrective, authorisation and advisory powers 
currently provided for under DPA 98 but also sought a power to co-operate 
with other supervisory authorities and enforcement bodies outside of the EEA 
and beyond those covered by Convention 108, in appropriate circumstances. 
The Commissioner therefore welcomes the provisions in clauses 116-118 on a 
further international role in relation to countries outside the European Union 
and with international organisations. 


28. One of the Commissioner’s key strategic priorities is to maintain and develop 
influence within the global information rights regulatory community. Data 
protection regulation has an increasingly international dimension. Effective 
protection of the UK public's personal data becomes increasingly complex and 
less visible as data flow across borders so the UK needs a regulator with 
global reach and influence.[7] 


Part six: Enforcement 


29. The Bill continues to provide the Commissioner with the powers to ensure 
personal data is properly protected. These powers are designed to promote 
compliance with the legislation and include criminal prosecution, financial 
penalties, non-criminal enforcement and, in some circumstances, audit. The 
Commissioner intends to continue to use her enforcement powers 
proportionately and judiciously. She will continue to adopt a targeted, risk- 
driven approach to regulatory action - not using her legal powers lightly or 
routinely, but taking a tough and purposeful approach on those occasions 
where that is necessary. Clause 153 of the Bill requires the Commissioner to 
provide guidance on how she proposes to take regulatory action. 


30. The Commissioner is pleased that she will continue to be able to impose 
administrative fines rather than requiring such penalties to be imposed on her 
behalf by the competent national court. Issuing fines has always been and 
will continue to be a last resort and the Bill continues to provide her with a 
number of other regulatory tools including information and enforcement 
notices. 


31. On occasions it is not the data controller that is responsible for data 
protection breaches; it is an individual acting in contravention of an 
organisation's policies and procedures, or an individual who obtains 
information from an organisation without their knowledge or consent. 
Previously the Commissioner has made strong calls for custodial sentences for 
Section 55 DPA 98 offences; however she recognises that such offences 
under the Bill will be treated as recordable offences. It is welcome that the 
offences will be recordable as serious criminal offences, which accords with 
the Commissioner’s response to the DCMS call for views.[8] 


[7] ICO International Strategy 2017-2021 https://ico.org.uk/media/about-the-ico/documents/2014356/international-strategy-03.pdf 


32. The Bill introduces two new offences: the re-identification of de-identified 
data and alteration of personal data to prevent disclosure. The Commissioner 
welcomes these important safeguards for individuals. 


Clause 162: Re-identification of de-identified personal data 


33. In her evidence to Parliament during the passage of the Digital Economy Act 
2017, the Commissioner recommended that Government consider stronger 
sanctions for deliberate and negligent re-identification of anonymised data. 
She is pleased that the government has included such an offence for 
knowingly or recklessly re-identifying de-identified personal data without the 
consent of the data controller. The rapid evolution of technology and growth 
in the digital economy has led to a vast increase in the availability and value 
of data. There is a clear need for extensive data processing to be 
accompanied by robust safeguards to guard against misuse and uphold the 
law. 


34. The offence is accompanied by appropriate defences including that the re- 
identification was necessary for the purpose of preventing or detecting crime; 
was justified in the public interest in particular circumstances; or the person 
had the consent of the data controller. There are good reasons to have these 
defences - for example, for organisations testing security and anonymisation 
techniques. This would allow security testing and research to take place in 
appropriate circumstances. 


Clause 140: Assessment notices 


35. Assessment notice powers were granted to the Information Commissioner via 
the Coroners and Justice Act (2009)[9], requiring certain bodies to submit to 
inspection of their data protection practices. The Commissioner is pleased 
that under clause 140, she may issue an assessment notice to any data 
controller or processor to require them to permit the Commissioner to carry 
out an assessment of whether they have complied with data protection 
legislation, with some appropriate restrictions set out in clause 141. 


[8] https://ico.org.uk/media/about-the-ico/consultation-responses/2017/2014036/ico-response-dcms-derogarations-consultation-20170510.pdf 


[9] Coroners and Justice Act 2009 amended DPA to introduce s41a (Assessment Notices). 


36. The ability to require organisations to submit to inspection of their data 
protection practices is, in her view, an appropriate, necessary and 
proportionate measure in order to ensure compliance with the regulation and 
to maintain the confidence of the general public. It is welcome that the 
provisions in the Bill are applicable to all organisations processing personal 
data, in contrast to the current overly restrictive approach under the DPA 98. 


Clause 164: The Special Purposes 


37. Under Article 85 of the GDPR Member States have to create exemptions in 
relation to the processing of personal data for journalistic purposes and for 
academic, artistic or literary expression. The Commissioner’s general 
approach is that the key elements of the DPA 98 should remain but in 
response to the Government's call for views did request the government to 
make a relatively proportionate change to the ICO’s ability to make a 
determination on the processing of personal data for individuals. 


Part Seven: Supplementary and final provision 


Clause 173: Representation of data subjects 


38. The Commissioner welcomed the provisions in Article 80.1 of the GDPR that 
give greater ability for civil society and other representative bodies to act on 
behalf of citizens. She supports how these arrangements are now set out in 
clause 173 of the Bill. 


39. The Commissioner is also in favour of 80.2 of the GDPR which enables 
Member States to allow such bodies to bring complaints to the ICO for 
consideration where they are not being instructed to act as the representative 
of a directly affected data subject. This is important because individuals 
increasingly do not know what is happening to their data. The ICO already 
has an open approach to complaints submitted by civil society bodies but 
understands that they may feel reassured by providing for a legal basis for 
pursuing matters independent of a particular individual. 
Looking ahead 


40. Further amendments will be tabled, including those from Government, during 
the passage of the Bill through Parliament. The Commissioner may amplify 
this commentary to provide her views on these as necessary. The 
Commissioner will be providing her own input as necessary during the 
legislative process. 


Elizabeth Denham 
Information Commissioner 
9 October 2017 